Tricks with files
If you've ever seen the results of comparative anti-virus software tests, you’ve probably noticed that the number of objects scanned can vary greatly depending on the product being tested. And sometimes these figures are significantly higher than the number of files in a scanned collection. The reason for this is rather prosaic.
An anti-virus is also a universal unpacker: it can split any object into its component parts, even a corrupted object that no archive extraction utility can process.
Here are just two paragraphs of anti-virus requirements from a tender document:
The installed anti-virus must scan:
- files and objects in the following formats: Smart Install Maker (SIM); DMG, HFS, XAR, Universal Binary (MacOS); SIS (Symbian 9); INNO SETUP (5.3.9 and later); SETUP FACTORY (line-up 7,8); XENOCODE; TARMA INSTALL (line-up 3); XZ (UNIX); COMPRESS; SQUASHFS; CHILKAT ZIP; and LHA packages (AWARD BIOS),
- files and objects in the following self-extracting archives: AppPackager, Astrum Install Wizard, Create Install, Fly Studio, GSFX, Hot Soup, Inno Setup, Install Essen, Install Factory, Linder Setup, NSIS (NullSoft Installation System), RSFX, SEA, Setup Factory, Setup Generator Pro, SXA ZIP, Tarma Install, Thunder Setup System, Wise Installation System, and Alloy.
And far more formats exist than that!
But even ordinary anti-virus scanning can present surprises with regards to the number of objects scanned. Take, for example, a zero-size file:
Let's have the anti-virus scan it.
What’s this? A miracle? Why have two objects been scanned? Did someone bump up the counter? Actually, everything is above board: an anti-virus scans files (and folders) according to parameters that ordinary users never see.
Remember the fictional character Mary Poppins who had a magical handbag in which she could store all sorts of items, no matter what shape or size? Neither the size nor the weight of her handbag ever changed. Files and directories in the NTFS file system used in Windows are just like that “magical handbag”.
Everyone knows that a file has attributes—read and write permissions.
But, in addition to these attributes, a file (or a folder) can be given others, and those won’t be visible to users of traditional file managers.
For example, you can write another file inside a zero-size file.
Take the EICAR test virus (for example, at http://www.eicar.org/85-0-Download.html). This "program" (EICAR stands for the European Institute for Computer Anti-Virus Research) has been specially designed to let users see how an anti-virus reports a detected virus without exposing their computers to any danger.
But don’t forget to disable your anti-virus protection before you download this test file; otherwise, you will see something like this:
Go to a command line, and copy the downloaded test virus into any file.
Open a file manager, and make sure that the file size has not changed:
After this, scan this file:
So that's how you can hide some important objects from a user's attention.
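The hidden storage the trick above relies on is the NTFS alternate data stream, and a file manager only shows the size of the main one. The following PowerShell script is an added example, not code from the original article or from Dr.Web: it builds a zero-size file with a harmless text payload in a named stream (constructed, in place of the EICAR file) and then walks a directory reporting every stream a file manager would not show. It assumes Windows PowerShell 3 or later on an NTFS volume; the directory under `$env:TEMP` and the stream name `hidden` are demonstration values.

```powershell
# Added example (not from the original article): audit a directory for NTFS
# alternate data streams, which is where the "file inside a zero-size file"
# trick keeps its payload. Requires Windows PowerShell 3+ and an NTFS volume.

function Get-HiddenStreams {
    param([string]$Path)   # directory to audit
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream of the file; ':$DATA' is the ordinary
            # content whose size a file manager displays, so it is filtered out.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        VisibleSize = $file.Length   # what the file manager shows
                        Stream      = $_.Stream
                        StreamSize  = $_.Length      # bytes the file manager never shows
                    }
                }
        }
}

# Constructed demonstration: an empty file that carries text in a named stream,
# mirroring the article's trick without using the test virus.
$demoDir  = Join-Path $env:TEMP 'ads-demo'        # assumed demo location
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'empty.txt'
New-Item -ItemType File -Path $demoFile -Force | Out-Null
Set-Content -LiteralPath $demoFile -Stream 'hidden' -Value 'constructed sample payload'

# The report lists empty.txt with VisibleSize 0 and a non-empty 'hidden' stream.
# Caveat for real audits: files downloaded from the Internet routinely carry a
# benign 'Zone.Identifier' stream written by the browser; review it, don't panic.
Get-HiddenStreams -Path $demoDir | Format-Table -AutoSize

# Removing only the named stream leaves the visible file untouched.
Remove-Item -LiteralPath $demoFile -Stream 'hidden'
```

Point `Get-HiddenStreams` at a real directory to see which files on a system have more in them than their displayed size suggests; the classic `dir /r` in cmd.exe shows the same streams.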
- Conduct experiments on computers that are disconnected from a local network.
- Don't forget to run an anti-virus scan immediately after your experiments have finished.
After all, each case is unique…
The Dr.Web anti-virus finds viruses no matter where they may be hiding. But there’s no reason to hope that you know your system better than cybercriminals and that you’ll absolutely notice a virus when one appears. You shouldn’t overestimate your capabilities and underestimate cybercriminals!